Mar 03, 2013

Hackback Redux

Last fall, Orin Kerr and I engaged in an online debate over the Computer Fraud and Abuse Act -- specifically whether it is lawful for the victim of computer crime to follow his stolen data into networks controlled by the thief. The debate spread across several posts and into the comments, but it's been pulled into one place here.

Despite its length, I felt that Orin and I still hadn't closed on some important issues, so I was pleased when the Federalist Society invited us to engage in a podcast dialogue about what has been called "active" or "comprehensive" defense. The podcast is here.

The podcast reveals a surprising amount of common ground between Orin and me, especially on the policy front. We agree that law enforcement and intelligence agencies have full authority to engage in such tactics, and that private companies can "borrow" that authority by working with law enforcement agencies -- including the Alameda County Sheriff.

We also agree that the CFAA does not deal effectively with the problem of foreign government hacking, and Orin allowed that a tailored amendment to the CFAA to allow more effective responses would be worth considering. Orin pushes me to specify the limits that backhackers should observe, and I acknowledge the need for some government check on abuses, as well as some limits on backhacking (mainly restricting private parties to the collection of evidence rather than allowing self-help retribution).

The call-in questioners are an all-star team in themselves. Paul Rosenzweig of Lawfare forces me to admit that the foreign-law aspects of backhacking are particularly challenging (for the FBI as well as the private sector). And the eminent Edwin Williamson digs into the international law of investigating computer crime. Letters of marque and reprisal also make a cameo appearance.